Background:
I have a updator feature in my program which will downloads updates to a directory specified be the user. Then user can install these updates whenever he/she wants by just opening them. These updates are nothing but a compressed archive file which is associated to be opened by my app.

Problem:
Now, I want when the user install the updates, my program should ensure that they are original updates created by me and are not modified by someone else. How can I ensure that? I have heard about Winrar authenticity verification. but I'm unsure whether it is good or not?

Edit: User have two ways to install the updates.

A) User download the updates from the server. An update file will get saved on user PC. User will open the update file to install it.

B) This is for user who don't have internet connectivity on his PC User download the update on a cyber cafe, copy it to his own PC and then install them.

Since in option B, user don't have internet connectivity in his PC, so my program can not check the base value on update server.

1 Answer
1

A hash can be provided along with the archive, and used to ensure that the entire patch contains what is expected. This is generally known as a checksum, (even if the term isn't 100% correct) and is commonly seen on some software sites as a means of verifying the result of a download. Typically, something like SHA-1 is used for the actual hash, since MD5 is known to have collisions.

Of course, the hash itself could be provided by someone with malicious intent, so it alone cannot be trusted.

Enter public / private key cryptography. You would keep the private key secret, and use it to sign your patches. The public key would be embedded in your client software, so that it can verify that the patch comes from someone who has the correct private key (presumably only you). You can read a bit more about digital signatures, which is typically built around the RSA algorithm.

Caveat: of course, if the client install was modified (cracked), someone could have installed their own public key in it. This means they could create their own patches and sign and install them. Since you're not fully in control of the client environment, there isn't anything you can do to stop this (short of "always-online", and even then...).

Edit: I'd also add a word of caution against home-brew solutions. It's all to easy to think something like, "Hey, I'll just come up with a clever little way to signal that the archive is genuine, like it must have a file whose name is the total file size of everything in the archive!". In this case, this algorithm would be the "secret". Unfortunately, it's going to be in your client code, and it'd take a skilled programmer a few minutes of disassembly and trawling through your code to figure it out. Please use tested algorithms like RSA!

Edit 2: Any commercial, off the shelf solutions are also fine (perhaps even preferred, since there's less chance of implementing it incorrectly), as long as they work along the lines I've outlined above. I'd investigate each solution carefully, and make a decision.